<?php
// Shared bootstrap pulled in by path under DOCUMENT_ROOT. Nothing in this file
// defines $host/$user/$password/$database or starts the session, so they are
// presumably provided by these two includes — verify in bob.php.
// NOTE(review): include() only warns on a missing file and keeps running;
// the admin gate below then sees no session and redirects, but a require
// would fail loudly instead.
include($_SERVER["DOCUMENT_ROOT"]."/bob.php");
include($_SERVER["DOCUMENT_ROOT"]."/fonctions_globales.php");
$mysqli = new_mysqli($host, $user, $password, $database); // open the DB connection (project helper)

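// Admin gate: only a session whose 'grad' is exactly the string "admin" may
// continue; everyone else is redirected before any output is produced.
// isset() + !== replaces the original `@$_SESSION['grad'] != "admin"`: no
// error suppression, and a strict comparison so a non-string value (e.g. the
// integer 0, which loosely equals "admin" on PHP < 8) can never pass the gate.
if (!isset($_SESSION['grad']) || $_SESSION['grad'] !== "admin") {
    header("Location: /accueil");
    exit();
}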

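// Values shared by the handlers below. Both are escaped for SQL here because
// they are interpolated into queries further down; note that $login is also
// echoed into the page later, where SQL escaping is not HTML escaping.
$login = $mysqli->real_escape_string(get_data_ss_tag($_SESSION['login']));
// Title from the POST form (absent on a plain GET). strip_tags() requires a
// string: a missing field becomes '' and a non-string value (e.g. titre[]=)
// is rejected instead of being passed through, which would be a TypeError on
// PHP 8 rather than the silently suppressed notice of the original `@`.
$titre_brut = (isset($_POST['titre']) && is_string($_POST['titre'])) ? $_POST['titre'] : '';
$titre = $mysqli->real_escape_string(strip_tags($titre_brut));
main_body($mysqli, "Adminews"); // project helper; presumably emits the page scaffolding that </body></html> at the end of this file closes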

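// Anti-CSRF check for the three mutating actions (new / choix / new2).
// The expected token is the same derivation the forms below embed as 'idefix'.
// hash_equals() replaces `!=`: constant-time, and strict — under PHP's loose
// comparison two numeric-looking strings such as "0e..." hashes compare equal,
// so a lucky token could be matched without knowing it.
// NOTE(review): the token is deterministic for a session; a random value stored
// in $_SESSION would be the stronger design — out of scope for this check.
$action_posted = (isset($_POST['new']) && $_POST['new'] !== "")
    || (isset($_POST['choix']) && $_POST['choix'] !== "")
    || (isset($_POST['new2']) && $_POST['new2'] !== "");
if ($action_posted) {
    $jeton_attendu = md5(session_id() . (isset($_SESSION['id']) ? $_SESSION['id'] : ''));
    // A missing or non-string field is treated as an empty (hence wrong) token.
    $jeton_recu = (isset($_POST['idefix']) && is_string($_POST['idefix'])) ? $_POST['idefix'] : '';
    if (!hash_equals($jeton_attendu, $jeton_recu)) {
        echo "<p align='center'>Il semblerai que vous ayez été victime d'une tentative de piratage. 
La page où vous étiez précédemment a été créée pour détourner votre session.</p>";
        exit;
    }
}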

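// Action 1: insert a new item. Only reached after the CSRF check above.
// is_string() rejects array input (new[]=...) that strip_tags() cannot take.
if (isset($_POST['new']) && is_string($_POST['new']) && $_POST['new'] !== "") {
    // The allow-list is an editorial choice kept as-is. strip_tags() keeps the
    // attributes of the tags it allows, so this is not an XSS filter: the
    // stored HTML is trusted because only admins (gate above) can write it.
    $new2 = $mysqli->real_escape_string(strip_tags($_POST['new'], "<a><b><i><u><img><font><iframe><div>"));
    $date2 = time(); // same value as strtotime("now"), without parsing a string
    // Every interpolated string was passed through real_escape_string (which
    // assumes new_mysqli() set the connection charset — verify) and $date2 is
    // an int, so the query is built from escaped or numeric parts only.
    mysqli_query_with_error($mysqli, "INSERT INTO news(new, titre, date, auteur) VALUES('$new2', '$titre', $date2, '$login')");
    echo "Good man!";
}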

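// Action 2: delete the item picked with the 'choix' radio button.
if (isset($_POST['choix']) && $_POST['choix'] !== "") {
    // get_num() is the project's numeric sanitiser; the (int) cast makes sure
    // the value interpolated unquoted into the WHERE clause is an integer no
    // matter what the helper returns. 0 is "nothing selected" elsewhere in
    // this file, so it is not sent to the database.
    $ID2 = (int) get_num($_POST['choix']);
    if ($ID2 > 0) {
        mysqli_query_with_error($mysqli, "DELETE FROM news WHERE ID = $ID2");
        echo "Destroy man!";
    }
}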

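// Action 3: save the edit form (built further down) for an existing item.
// is_string() rejects array input (new2[]=...) that strip_tags() cannot take.
if (isset($_POST['new2']) && is_string($_POST['new2']) && $_POST['new2'] !== "") {
    // Same allow-list as the insert; strip_tags() keeps attributes on the
    // allowed tags, so the content is trusted only because of the admin gate.
    $new2 = $mysqli->real_escape_string(strip_tags($_POST['new2'], "<a><b><i><u><img><font><iframe><div>"));
    // (int) guarantees an integer for the unquoted WHERE; 0 means "no item".
    $ID2 = (int) get_num(isset($_POST['ID']) ? $_POST['ID'] : null);
    if ($ID2 > 0) {
        // $new2 and $titre (escaped at the top of the file) are quoted, $ID2 is numeric.
        mysqli_query_with_error($mysqli, "UPDATE news SET new = '$new2', titre = '$titre' WHERE ID = $ID2");
        echo " Modif ok!";
    }
}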



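// Hidden anti-CSRF field embedded in every mutating form. It must stay the
// same derivation the check at the top of the file recomputes from the session.
$champ_secu = "<input type='hidden' name='idefix' value='".md5(session_id().(isset($_SESSION['id']) ? $_SESSION['id'] : ''))."'>";
// $login was escaped for SQL, not for HTML: escape it for this context too.
// ENT_SUBSTITUTE keeps an invalid byte sequence from blanking the whole name;
// the charset follows the default_charset ini setting.
$login_html = htmlspecialchars($login, ENT_QUOTES | ENT_SUBSTITUTE);
// First form: post a new item ("Fight!").
echo "<p align='center'><font size='7'>Adminews</font></p><p align='center'>
<img border='0' src='images/invers.gif'><br>Bienvenue $login_html<br><br><table border='1' width='100%'><tr><td>
<form action='adminews.php' method='POST'>$champ_secu<p align='center'>Poster une nouvelle news(haha)<br><br>
Titre : <input type='text' name='titre'>  <br><br><textarea name='new' cols='40' rows='8'></textarea><br><br>
<p align='center'><input type='submit' value='Fight!'></form></td><td>";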

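// All items, newest first. The same result set is rewound and reused by the
// delete table below.
$result_news = mysqli_query_with_error($mysqli, "SELECT * FROM news ORDER BY date DESC");
// 'newselect' only chooses which item to edit (it writes nothing), which is
// why the CSRF check at the top does not cover it. (int) keeps the later
// comparison and the hidden 'ID' field strictly numeric.
$ID2 = (int) get_num(isset($_POST['newselect']) ? $_POST['newselect'] : null);
if ($ID2 !== 0) {
    // Second form, edit mode: pre-fill the chosen item.
    $messa = get_data_in_db($mysqli, "news", "ID", $ID2, "new");
    $titre = get_data_in_db($mysqli, "news", "ID", $ID2, "titre");
    // The stored values are raw text (real_escape_string only protected the
    // INSERT), and they land in a quoted attribute and a <textarea>: escape
    // them for HTML. Browsers decode entities inside <textarea>, so the admin
    // still edits the original markup. Charset follows default_charset.
    $titre_html = htmlspecialchars((string) $titre, ENT_QUOTES | ENT_SUBSTITUTE);
    $messa_html = htmlspecialchars((string) $messa, ENT_QUOTES | ENT_SUBSTITUTE);
    echo "<form action='adminews.php' method='POST'>$champ_secu<p align='center'>
 Modifier : <input type='text' name='titre' value='$titre_html'> <br><br><textarea name='new2' cols='40' rows='8'>$messa_html</textarea> <br><br>
 <p align='center'><input type='hidden' name='ID' value='$ID2'>
 <input type='submit' value='Modif'></form>";
} else {
    // Second form, select mode: list the items to pick one.
    echo "<form action='adminews.php' method='POST'><p align='center'>Modifier une news existante<br><br> Laquelle ? : <select name='newselect'>";
    // Braces make explicit what the original indentation hid: only the
    // <option> line is in the loop; </select> is printed once afterwards.
    while ($ligne = $result_news->fetch_assoc()) {
        echo "<option value='{$ligne['ID']}'>New du ".datouille($ligne['date'], false);
    }
    echo "</select> <br><br><p align='center'><input type='submit' value='Select'></form>";
}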
// Third and last form: pick one item with a radio button and delete it
// ("Destroy!"). The rows come from the same result set as the select box
// above, hence the rewind before iterating again.
$ligne_fmt = "<tr><td><input type='radio' name='choix' value='%s'></td> <td>Le %s : %s</p><p align='right'>%s<br></p><br></td></tr>";
echo "</td></tr></table><p align='center'>Effacer une new<br><table border='1' width='100%'><form action='adminews.php' method='post'>" . $champ_secu;

$result_news->data_seek(0); // the edit/select form already consumed the rows
while ($ligne = $result_news->fetch_assoc()) {
    // The body is stored as HTML (tags are allowed on input), so it is
    // emitted as-is apart from newline conversion; the author goes through
    // the project's output helper and the date through datouille().
    printf(
        $ligne_fmt,
        $ligne['ID'],
        datouille($ligne['date'], false),
        nl2br($ligne['new']),
        get_data_propre_sortie_db($ligne['auteur'])
    );
}
echo '</table><br><input type=\'submit\' value=\'Destroy!\' onclick=\'return confirm("Cest ton dernier mot ?");\'></form>';
?>
</body></html>